Remove checks based on response_type #46
Conversation
|
I can confirm this PR to work; since https://github.com/aaronpk/indielogin.com got updated to the latest IndieAuth spec a week ago, it was no longer possible to log in to the IndieWeb wiki using Selfauth. Applying these edits by @Zegnat everything works smoothly again. |
|
I just updated my selfauth to this branch as well, and it works for me. The code changes also look reasonable. Could this please be merged in? |
|
Not a big fan of approving my own PRs. But making a note now that if nobody has had a look at this yet during the week, I am merging it anyway. Seems enough people have tried it out that it seems like a solid enough solution. |
|
I'd say go for it, especially because it's not clear who you're waiting for a review from 😄 |
Anyone, really. This repository is specifically set up that someone with write access needs to review and it cannot be the person who opens the PR. I also do not own this repository, so not sure how I feel about taking full responsibility 😉 Guess I will need to check if I have push rights into the master branch and see if I can merge manually with git and push a branch if no people with write access look at this repo anymore. |
IndieAuth has always had some weird handling of
response_type. All responses were always of OAuth typecode, but the standard defined its own typeidas well as making the field optional.In the latest version of the IndieAuth standard, these decisions have been revised in favour of sticking to OAuth’s more standard handling. IndieAuth only accepts
response_type=code. See indieweb/indieauth#42.For backwards compatibility, this change still accept both
codeandid, as well as an empty value. All checks about differences betweencodeandidhave been removed as it should all just be handled as if a client had used the valuecode.